Strange Phone Proxy Remote Phone Issue

Gavin Barber · ‎02-07-2011

Hi, I'm hopeing someone can help here and point out if this is a known issue.

We've got ASA 8.3 supplying phone proxy for a few remote users. Almost all the users are working fine and have no issues what so ever, we use both 7940s and 7921 devices for phone proxy users.

However one single user keeps getting issues where the phone will be working the first time it gets connected at home but by the following morning it will not connect. Reviewing the log on the ASA shows that the phone is attempting to connect using port 2000 as if it has lost its certificate. The TFTP download is working fine, and the CTL file looks like its being deployed correctly.

Originally we thought this issue was down to a dud phone 7940 so we swapped it out. We attempted to replicate the problem ourselves but have been unable to do so. The user then took home his replacement 7940 this of course worked for the first 12- 24 hours then stopped working again, with the same symptoms, that the phone is ignoring the certificates and attempting to talk to the ASA using port 2000 rather than 2443.

We are using SCCP to deploy the phones and no other people are experiencing this issue. We've asked the user to contact their ISP along with resetting their home router, but what I want to know is if anyone has experienced the ISP blocking the SCCP Secure communications that would create this issue. We do know the user is on a very strict ISP who performs some sever Deep Packet Inspection and Packet Shaping but we didn't think this would block the secure communications entirely.

Of course if we open up port 2000 the phone registers and works but we only did that for some troubleshooting steps to see if the phone would register. We can't have external phones registering in non-secure mode for obvious reasons.

Any ideas or suggestions welcomed, especially before we go flaming the ISP.

mopauly · ‎02-07-2011

Hi Gavin,

We've had similar issues before with certain ISP's and their supplied routers, in conjuntion to port problems and one way audio problems for us with CIPC. As you noted after a router reset the user would be fine for a day or so then go back to the same issue; for us in at least one instance having the user ditch the ISP supplied router and buy their own quality unit solved the port blocking problem (Belkin routers gave us lots of issues as well). Since upgrading CUCM we no longer support proxy phones (our ASA is not currently setup for it) so we see it very rarely now. HTH.

Gavin Barber · ‎02-14-2011

Its certainly looking like its an ISP supplied router. Over here in the UK BT supply their broadband customers with the HomeHub and from discussions with them only certain features are available on the router to certain customers, consumer vs busiiness. They have refused to flash the firmware to give our users access to turn off UDP flooding and strict UDP control on the routers so its blocking the traffic at the users connection. Fortunately it wasn't anything in the cloud and we've replaced the BT Home Hub with an off the shelf purchased home router and all is well again.